diff --git a/fili/services/factorio.nix b/fili/services/factorio.nix index 4fa19d1..eadd90c 100644 --- a/fili/services/factorio.nix +++ b/fili/services/factorio.nix @@ -1,7 +1,8 @@ -{ lib -, pkgs -, config -, ... +{ + lib, + pkgs, + config, + ... }: let factorioVersion = @@ -60,10 +61,11 @@ let privateUsers = "no"; config = - { config - , pkgs - , lib - , ... + { + config, + pkgs, + lib, + ... }: { systemd.services.factorio.serviceConfig.User = "factorio"; @@ -105,19 +107,18 @@ in }; containers = - factorioContainer "tawney" - { - autosave-interval = 20; - admins = [ - "jonay2000" - "computerdruid" - "pineapple" - ]; - extraSettingsFile = config.sops.secrets.factorio.path; - # mods = getMods ../../factorio-mods/tawney; - package = factorioVersion "2.0.69" "sha256-I1FHuz7WtfCmmTiTxskv3+U1upWrhmBG9R+GUoS1c0E="; - port = 20001; - } + factorioContainer "tawney" { + autosave-interval = 20; + admins = [ + "jonay2000" + "computerdruid" + "pineapple" + ]; + extraSettingsFile = config.sops.secrets.factorio.path; + # mods = getMods ../../factorio-mods/tawney; + package = factorioVersion "2.0.69" "sha256-I1FHuz7WtfCmmTiTxskv3+U1upWrhmBG9R+GUoS1c0E="; + port = 20001; + } // factorioContainer "snek" { autosave-interval = 20; admins = [ diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix index 5293333..d6f62bc 100644 --- a/fili/services/forgejo.nix +++ b/fili/services/forgejo.nix @@ -1,8 +1,9 @@ -{ lib -, pkgs -, config -, flakes -, ... +{ + lib, + pkgs, + config, + flakes, + ... }: let cfg = config.services.forgejo; diff --git a/fili/services/media/default.nix b/fili/services/media/default.nix index e644e91..35620cb 100644 --- a/fili/services/media/default.nix +++ b/fili/services/media/default.nix @@ -5,6 +5,6 @@ _: { ./sonarr.nix ./torrent.nix ./jackett.nix - ./plex.nix + ./jellyfin.nix ]; } diff --git a/fili/services/media/jellyfin.nix b/fili/services/media/jellyfin.nix new file mode 100644 index 0000000..1778dca --- /dev/null 
+++ b/fili/services/media/jellyfin.nix 
@@ -0,0 +1,145 @@ +{ pkgs, lib, config, ... }: +let + jellyfin-config = '' + + { + "includeCorsCredentials": false, + "multiserver": false, + "themes": [ + { + "name": "Apple TV", + "id": "appletv", + "color": "#bcbcbc" + }, { + "name": "Blue Radiance", + "id": "blueradiance", + "color": "#011432" + }, { + "name": "Dark", + "id": "dark", + "color": "#202020", + "default": true + }, { + "name": "Light", + "id": "light", + "color": "#303030" + }, { + "name": "Purple Haze", + "id": "purplehaze", + "color": "#000420" + }, { + "name": "WMC", + "id": "wmc", + "color": "#0c2450" + } + ], + "menuLinks": [ + { + "name": "Link SSO Account", + "icon": "add_link", + "url": "https://media.donsz.nl/SSOViews/linking" + } + ], + "servers": [], + "plugins": [ + "playAccessValidation/plugin", + "experimentalWarnings/plugin", + "htmlAudioPlayer/plugin", + "htmlVideoPlayer/plugin", + "photoPlayer/plugin", + "comicsPlayer/plugin", + "bookPlayer/plugin", + "youtubePlayer/plugin", + "backdropScreensaver/plugin", + "pdfPlayer/plugin", + "logoScreensaver/plugin", + "sessionPlayer/plugin", + "chromecastPlayer/plugin", + "syncPlay/plugin" + ] + } + + ''; +in +{ + environment.systemPackages = [ + pkgs.jellyfin + pkgs.jellyfin-web + pkgs.jellyfin-ffmpeg + ]; + + services.nginx.virtualHosts."media.donsz.nl" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8096"; + extraConfig = '' + proxy_buffering off; + ''; + }; + locations."/socket" = { + inherit (config.services.nginx.virtualHosts."media.donsz.nl".locations."/") + proxyPass + ; + proxyWebsockets = true; + }; + }; + + users.groups.jellyfin = { }; + users.users.jellyfin = { + isSystemUser = true; + group = "jellyfin"; + + extraGroups = [ "storage" ]; + }; + + services.nginx.virtualHosts."media.donsz.nl".locations."/web/config.json".extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${jellyfin-config}'; + ''; + + services.jellyfin 
= { + enable = true; + openFirewall = true; + user = "jellyfin"; + group = "jellyfin"; + }; + + # Only set this if you're using intel-vaapi-driver (see below): + nixpkgs.config.packageOverrides = pkgs: { + intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; }; + }; + + systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; # or i965, see below + environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; # ditto + + hardware.graphics = { + enable = true; + + extraPackages = with pkgs; [ + intel-ocl + intel-media-driver + intel-media-sdk + ]; + }; + + + # hardware.graphics = { + # enable = true; + # package = pkgs.intel-media-driver; + # }; + # systemd.services.jellyfin = { + # # if EncoderAppPath is manually set in the web UI, it can never be updated through --ffmpeg + # preStart = "test ! -e /var/lib/jellyfin/config/encoding.xml || sed -i '//d' /var/lib/jellyfin/config/encoding.xml"; + # serviceConfig = { + # # allow access to GPUs for hardware transcoding + # DeviceAllow = lib.mkForce "char-drm"; + # BindPaths = lib.mkForce "/dev/dri"; + # # to allow restarting from web ui + # Restart = lib.mkForce "always"; + + # Slice = "mediaplayback.slice"; + # }; + # }; +} diff --git a/fili/services/media/plex.nix b/fili/services/media/plex.nix deleted file mode 100644 index 605882d..0000000 --- a/fili/services/media/plex.nix +++ /dev/null 
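Review bot: `openFirewall = true;` in the new `services.jellyfin` block opens Jellyfin's own listener ports on the host firewall, so the backend that nginx proxies at `http://localhost:8096` is presumably also reachable directly over plain HTTP, bypassing the `forceSSL` virtual host for `media.donsz.nl`. If all client traffic is meant to go through the reverse proxy, `openFirewall = false;` keeps the TLS-terminating vhost as the only entry point. Separately, in the `/web/config.json` location, `add_header Content-Type application/json;` most likely adds a second Content-Type header next to the one nginx sets from its default type for a `return` body; `default_type application/json;` replaces it instead. The JSON is spliced into a single-quoted nginx string, so a later edit that puts a `'` or `$` into `jellyfin-config` would break or change the response; a comment such as `# must not contain ' or $ (embedded in an nginx string)` above the `return 200` line would record that.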
@@ -1,82 +0,0 @@ -_: { - services.plex = { - enable = true; - openFirewall = true; - user = "jellyfin"; - }; - - users.groups.jellyfin = { }; - users.users.jellyfin = { - isSystemUser = true; - group = "jellyfin"; - - extraGroups = [ "storage" ]; - }; - - services.nginx = { - virtualHosts."media.donsz.nl" = { - forceSSL = true; - http2 = true; - enableACME = true; - extraConfig = '' - #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause - send_timeout 100m; - - # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ - ssl_stapling on; - ssl_stapling_verify on; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - - # Forward real ip and host to Plex - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $server_addr; - proxy_set_header Referer $server_addr; - proxy_set_header Origin $server_addr; - - # Plex has A 
LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. - gzip on; - gzip_vary on; - gzip_min_length 1000; - gzip_proxied any; - gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; - gzip_disable "MSIE [1-6]\."; - - # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. - # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more - client_max_body_size 100M; - - # Plex headers - proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; - proxy_set_header X-Plex-Device $http_x_plex_device; - proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; - proxy_set_header X-Plex-Platform $http_x_plex_platform; - proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; - proxy_set_header X-Plex-Product $http_x_plex_product; - proxy_set_header X-Plex-Token $http_x_plex_token; - proxy_set_header X-Plex-Version $http_x_plex_version; - proxy_set_header X-Plex-Nocache $http_x_plex_nocache; - proxy_set_header X-Plex-Provides $http_x_plex_provides; - proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; - proxy_set_header X-Plex-Model $http_x_plex_model; - - # Websockets - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # Buffering off send to the client as soon as the data is received from Plex. - proxy_redirect off; - proxy_buffering off; - ''; - locations."/" = { - proxyPass = "http://[::1]:32400"; - }; - }; - }; -} diff --git a/fili/services/websites/homepage.nix b/fili/services/websites/homepage.nix index 3de7867..291dd5a 100644 --- a/fili/services/websites/homepage.nix +++ b/fili/services/websites/homepage.nix 
@@ -7,7 +7,16 @@ enableACME = true; locations."/" = { - root = flakes.homepage.packages.${pkgs.system}.website; + root = "${flakes.homepage.packages.${pkgs.system}.website}/normal"; + }; + }; + virtualHosts."gay.donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + root = "${flakes.homepage.packages.${pkgs.system}.website}/gay"; }; }; virtualHosts."jdonszelmann.nl" = { @@ -16,7 +25,7 @@ enableACME = true; locations."/" = { - root = flakes.homepage.packages.${pkgs.system}.website; + root = "${flakes.homepage.packages.${pkgs.system}.website}/normal"; }; }; }; diff --git a/fili/services/websites/mapf.nix b/fili/services/websites/mapf.nix index a86e087..ff4173a 100644 --- a/fili/services/websites/mapf.nix +++ b/fili/services/websites/mapf.nix @@ -1,7 +1,8 @@ -{ config -, flakes -, pkgs -, ... +{ + config, + flakes, + pkgs, + ... }: { sops.secrets.mapf = { diff --git a/flake.lock b/flake.lock index 142f716..eac79f6 100644 --- a/flake.lock +++ b/flake.lock @@ -209,11 +209,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1761038066, - "narHash": "sha256-YPSW9CZpcDdDpJ0SCOB5Y/oP/7Ijhm3AjN8PF6472YI=", + "lastModified": 1761082106, + "narHash": "sha256-5L2gGjZYBy40Bj61dM1UFJG7uTCOMbL1S3c8cfIbbv8=", "owner": "jdonszelmann", "repo": "homepage", - "rev": "0e99242648d9ff015773b661cc2888baa4f6acb0", + "rev": "1263f29f1db9d695f311a346b4c150170f91400b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 49f9ef5..44fe316 100644 --- a/flake.nix +++ b/flake.nix @@ -17,14 +17,15 @@ compiler-construction-2021.url = "git+ssh://forgejo@git.donsz.nl/jana/eelco-visser-compiler-construction.git"; }; outputs = - { self - , nixpkgs - , colmena - , flake-utils - , sops-nix - , vpn-confinement - , mapf - , ... + { + self, + nixpkgs, + colmena, + flake-utils, + sops-nix, + vpn-confinement, + mapf, + ... }@inputs: let pkgsForSystem =